Need Reg Verification

[svasutin]

I'm trying to verify some values for a sony remover, but I need to check some info out.

Wondering if anyone can help.

I don't think I can post the final remover or provide a download, but I should be able to post the algorithm and critial entries for removal.

This needs to be checked on a clean system.

Under

HKLM\System\CurrentControlSet\Enum\PCIIDE\IDEChannel\

You should have two entries, 1 for each channel

Under each key is a sub-key called Control, with a Sting called ActiveService

I need to confirm the ActiveService value should be the same as the Service key in:

HKLM\System\CurrentControlSet\Enum\PCIIDE\IDEChannel\ [channel0/1]

in other words, the values of

HKLM\System\CurrentControlSet\Enum\PCIIDE\IDEChannel\ [channel0]\Service

=

HKLM\System\CurrentControlSet\Enum\PCIIDE\IDEChannel\ [channel0]\Control\ActiveService

If someone also checked out the settings for SATA and SCSI devices it would be great

HKLM\System\CurrentControlSet\Enum\ [ SCSI | SATA ] \Service

=

HKLM\System\CurrentControlSet\Enum\ [ SCSI | SATA ] \Control\ActiveService

Thank you

Edited November 20, 2005 by svasutin

[svasutin]

Before doing this, remember you may have to re rip or re download lots of music files

Basically this is what I have

let ccs=ControlSet001 ControlSet002 CurrentControlSet

let group1=DRMSERVER LIM OCT

let group2=cor crater drmserver

for i in [ ccs ] (

for j in [ group2 ] (

for k in valueOf HKLM\System\ i \Services\$sys$ j \Count (

record infected entries for Optical

record infected entries for controllers

)

)

)

remove reg entries

hklm\software\$sys$reference

HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE

HKLM\SOFTWARE\Microsoft\WBEM\WDM

HKLM\SYSTEM\ [ ccs ] \Control\CoDeviceInstallers /v {FF646F80-8DEF-11D2-9449-00105A075F6B} /f

NOTE:

STILL LOOKING INFO {FF646F80-8DEF-11D2-9449-00105A075F6B}

remove reg entries for:

HKLM\SYSTEM\ [ CCS ] \Enum\Root\LEGACY_$sys$[ group2 ]

remove reg entries for:

HKLM\SYSTEM\%CCS%\Services\$sys$[ group2 ]

for noted controller list

Set \ActiveService Value to ..\Service Value

for optical

...

remove files and folders from

%windir%\[ system32 | system ]\$sys$filesystem

remove

%windir%\[ system32 | system ]\caj.dll

%windir%\[ system32 | system ]\drivers\%sys$cor.sys

Files I believe are associated with Sony Rootkit

$sys$DRMServer.exe

$sys$parking.exe

crater.sys

DbgHelp.dll

lim.sys

oct.sys

Unicows.dll <-only remove from $sys$filesystem

caj.dll

cor.sys

$sys$caj.dll

$sys$cor.sys